pdnsutil DNAME checks have issues
SivaKesava1 opened this issue
- Program: Authoritative
- Issue Type: Bug report
Short description
The server returns records even if they are occluded by a DNAME. pdnsutil check-all-zones returns a warning except when the DNAME is at the root of the zone.
Environment
- Operating system: Ubuntu 18
- Software version: Authoritative Server 4.1.1
- Software source: Ubuntu repository
Steps to reproduce
Consider the following zone file:
```
campus.edu.      500 SOA   ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
campus.edu.      500 NS    ns1.outside.edu.
d.campus.edu.    500 DNAME f.campus.edu.
c.d.campus.edu.  500 A     1.1.1.1
```
For the query <c.d.campus.edu., A> the PDNS server returns the IP record and doesn't use the DNAME record. Other implementations either refuse to load the zone file or ignore the records below the DNAME, as suggested by RFC 6672, section 2.4.
When checked with pdnsutil, it tells the user about the occlusion:
```
[Warning] 'c.d.campus.edu|A' in zone 'campus.edu' is occluded by a DNAME at 'd.campus.edu.'
Checked 4 records of 'campus.edu,' 0 errors, 1 warnings.
```
We generally expect the user to first check with pdnsutil and fix issues before loading zone files, but it might also be helpful to either turn it into an error or ignore those occluded records.
The other interesting case is the following zone file:
```
campus.edu.      500 SOA   ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
campus.edu.      500 NS    ns1.outside.edu.
campus.edu.      500 DNAME campus.com.
foo.campus.edu.  500 A     1.1.1.1
```
When the DNAME record is at the zone apex, pdnsutil does not warn and loads the zone file. It returns the IP record when queried for foo.campus.edu., preferring it over the DNAME record.
Expected/Actual behavior
I expected the DNAME record to be preferred.
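The two behaviours the report asks for, flagging every record that sits below a DNAME owner (apex included) and answering a query with the DNAME plus a synthesized CNAME rather than the occluded data, can be shown in a few lines. The checker below is an added example written for this page; it is not PowerDNS or pdnsutil code, and the zone text, the `parse_zone`/`occluded_records`/`answer` helpers and the `(owner, ttl, type, rdata)` record layout are all constructed here. It follows RFC 6672, section 2.4 (occlusion) and section 3 (DNAME substitution and CNAME synthesis).

```python
"""Added example (not PowerDNS code): flag DNAME-occluded records, apex included,
and answer queries the way RFC 6672 requires.  Zone text is constructed."""
from typing import List, Optional, Tuple

Record = Tuple[str, int, str, str]  # (owner, ttl, type, rdata); names end with "."

# Constructed zones mirroring the two cases in the report.
ZONE_DNAME_BELOW_APEX = """\
campus.edu.      500 SOA   ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
campus.edu.      500 NS    ns1.outside.edu.
d.campus.edu.    500 DNAME f.campus.edu.
c.d.campus.edu.  500 A     1.1.1.1
"""

ZONE_DNAME_AT_APEX = """\
campus.edu.      500 SOA   ns1.campus.edu. root.campus.edu. 3 86400 7200 604800 300
campus.edu.      500 NS    ns1.outside.edu.
campus.edu.      500 DNAME campus.com.
foo.campus.edu.  500 A     1.1.1.1
"""


def parse_zone(text: str) -> List[Record]:
    """Parse 'owner ttl type rdata...' lines; owner names are lower-cased."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rtype, *rdata = line.split()
        records.append((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata)))
    return records


def strictly_below(name: str, owner: str) -> bool:
    """True if name is a proper subdomain of owner; the DNAME owner itself is exempt."""
    return name != owner and name.endswith("." + owner)


def occluded_records(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (name, type, dname_owner) for every record below a DNAME owner.

    This is the check the report expects for every DNAME, apex included:
    such records can never be served (RFC 6672 section 2.4).
    """
    dname_owners = [r[0] for r in records if r[2] == "DNAME"]
    found = []
    for name, _ttl, rtype, _rdata in records:
        for owner in dname_owners:
            if strictly_below(name, owner):
                found.append((name, rtype, owner))
    return found


def answer(records: List[Record], qname: str, qtype: str) -> List[Tuple[str, str, str]]:
    """Answer a query with the DNAME winning over data below it (RFC 6672 section 3).

    Returns (name, type, rdata) tuples: the closest enclosing DNAME plus a
    synthesized CNAME when one covers qname, else the records at qname.
    """
    qname = qname.lower()
    best: Optional[Record] = None
    for rec in records:
        if rec[2] == "DNAME" and strictly_below(qname, rec[0]):
            if best is None or len(rec[0]) > len(best[0]):
                best = rec  # the deepest DNAME owner is the closest encloser
    if best is not None:
        owner, _ttl, _t, target = best
        prefix = qname[: -len(owner)]  # labels of qname below the DNAME owner
        return [(owner, "DNAME", target), (qname, "CNAME", prefix + target)]
    return [(n, t, d) for n, _ttl, t, d in records if n == qname and t == qtype.upper()]


if __name__ == "__main__":
    for label, text in (("DNAME below apex", ZONE_DNAME_BELOW_APEX),
                        ("DNAME at apex", ZONE_DNAME_AT_APEX)):
        recs = parse_zone(text)
        print(f"== {label}")
        for name, rtype, owner in occluded_records(recs):
            print(f"[Warning] '{name}|{rtype}' is occluded by a DNAME at '{owner}'")
    print(answer(parse_zone(ZONE_DNAME_BELOW_APEX), "c.d.campus.edu.", "A"))
    print(answer(parse_zone(ZONE_DNAME_AT_APEX), "foo.campus.edu.", "A"))
```

Run as a script it warns about `c.d.campus.edu.|A` for the first zone and about `foo.campus.edu.|A` for the apex zone (the case pdnsutil 4.1.1 misses), and answers both queries with the DNAME and a synthesized CNAME (`c.f.campus.edu.` and `foo.campus.com.`) instead of the occluded A record. The apex SOA and NS are not flagged because a DNAME only covers names strictly below its owner.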
Duplicate of #1361 except for the DNAME-at-apex pdnsutil bug.